[57] ABSTRACT 

A method for encrypting a plaintext string into ciphertext begins by cipher block chaining (CBC) the plaintext using a first key and a null initialization vector to generate a CBC message authentication code (MAC) whose length is equal to the block length. The plaintext string is then cipher block chained again, now using a second key and the CBC-MAC as the initialization vector, to generate an enciphered string. The CBC-MAC and a prefix of the enciphered string comprising all of the enciphered string except the last block are then combined to create the ciphertext. The described mode of operation is length-preserving, yet has the property that related plaintexts give rise to unrelated ciphertexts. 

20 Claims, 3 Drawing Sheets 
BLOCK CIPHER MODE OF OPERATION FOR SECURE, LENGTH-PRESERVING ENCRYPTION 

TECHNICAL FIELD 

The present invention relates generally to secure communications and more particularly to computer-implemented methods to encrypt plaintext into ciphertext. 

BACKGROUND OF THE INVENTION 

It has been generally accepted that encryption schemes exhibiting certain properties are often desirable. The first of these properties is that the encrypting and decrypting operations are deterministic, as opposed to probabilistic, because in many environments there is no available or trustworthy source of randomness. It is also desirable that the scheme be history-free (not stateful) so that parties need not store a message counter or other information that must be updated after each encryption or decryption. The scheme should also be "secure" in that it effectively hides all information about the plaintext. Lastly, it is desired that the scheme be length-preserving, i.e. the length of the ciphertext should equal the length of the plaintext. 

Block ciphers are well-known cryptographic tools that are often used to implement general encryption schemes. A block cipher is a symmetric key cryptosystem that transforms message (plaintext) blocks of fixed length (of "l" bits) into ciphertext blocks of the same length under the control of a key (of "k" bits). A widely used block cipher is provided by the U.S. Standard DES algorithm, which has l=64 and k=56, and is described in NBS FIPS Pub 46, titled "Data Encryption Standard", National Bureau of Standards, U.S. Department of Commerce, January 1977. Block ciphers like DES provide a way to encrypt a single block (e.g., 64 bits) of text. But to encrypt longer messages the cipher must be used in some "mode of operation". Many such modes of operation have been described in the prior art, with the most widely used one being Cipher Block Chaining (CBC). CBC is described in NBS FIPS Pub 81, titled "DES Modes of Operation", National Bureau of Standards, U.S. Department of Commerce, December 1980. CBC and other known modes, however, are either length-increasing or suffer from the weakness that distinct related plaintexts give rise to related ciphertexts. Many application domains that cannot tolerate the former have their security effectively compromised by the latter. 

Cipher Block Chaining (CBC) requires the use of a secret key as well as an "initialization vector" (IV). With an l-bit IV (the value of which is sent with the message or is otherwise known by both communicating parties), a string x = x_1 . . . x_n (consisting of n blocks, each of l bits) is then encrypted as E_{a,IV}(x) = y_1 . . . y_n, where y_0 = IV and y_i = f_a(x_i ⊕ y_{i-1}). In a CBC scheme, the first block of the ciphertext depends on the first block of the plaintext, the second block of the ciphertext depends on the first two blocks of the plaintext, and so on, with the last block of the ciphertext depending on all of the blocks of the plaintext. Such encryption, however, has a well-known drawback in that it is not secure enough when IV is fixed. 

In particular, the CBC method often "leaks" information about plaintexts that are being encrypted. For example, if an adversary sees E_{a,IV}(x) and E_{a,IV}(x'), and notices that they agree in the first j blocks, then the adversary can infer that x and x' also agree in the first j blocks. Such deficiencies are quite problematic. Thus, suppose that a file consisting of a sequence of 1 KByte employee records is noticed to have just changed from the 7th record on. Perhaps it is known a priori that the reason for this change was the update of an employee record due to someone having been demoted. If the underlying encryption method is E_{a,IV}, and the employee records are in alphabetical order by employee name, then one can infer that the affected employee is the 7th one in alphabetical order. 

The above-described characteristic of CBC encryption to "leak" information about plaintexts could be addressed by choosing the initialization vector IV at random and then sending it along with the message. However, when this is done the scheme is no longer length-preserving. Alternatively, the scheme could be made history-dependent (e.g., by deriving the IV from a message counter rather than sending the IV with the message); but this approach is also unsatisfactory because it is intolerant of non-receipt of messages by the intended recipient. 

Thus, prior art encryption techniques that use block ciphers are undesirable in that they are length-increasing, intolerant of messages being dropped, or leak information about related plaintexts. There remains a need to provide a secure, length-preserving encryption scheme using block ciphers that overcomes these and other problems in the art. 

BRIEF SUMMARY OF THE INVENTION 

It is therefore a principal object of the invention to provide a method of encrypting a plaintext string that is deterministic and history-free. 

It is another object of the invention to provide a block cipher mode of operation for encryption wherein the length of the ciphertext is the same as the length of the plaintext being encrypted. 

It is yet another object of the invention to provide such a length-preserving encryption scheme that does not leak information about plaintexts that are being encrypted. 

It is another particular object of the invention to provide a message encryption scheme that is history-free, so that parties do not store a message counter or other information that must be updated after each encryption or decryption. 

It is a further specific object of the invention to provide a length-preserving encryption scheme based on a novel application of Cipher Block Chaining (CBC) and that overcomes the known security and information leakage problems associated with CBC encryption. This technique is highly advantageous in that modification of a ciphertext message to a ciphertext message not yet seen produces the encryption of an underlying message unrelated to those then seen. 

It is a further object of the invention to provide new and nonobvious methods of encrypting plaintext message strings that have lengths that are multiples of or fractions of a block length. 

These and other objects of the invention are achieved in a method, using first and second secret keys, to encrypt a plaintext string to a ciphertext string. The method begins by cipher block chaining the plaintext string using the first key and a fixed initialization vector to generate a CBC message authentication code (CBC-MAC) of length equal to the block length. Thereafter, the method continues by cipher block chaining the plaintext string using the second key, and using the aforementioned CBC message authentication code as the initialization vector, to thereby generate an enciphered string. The CBC message authentication code and a prefix of the enciphered string are then combined (typically by concatenation) to form the ciphertext string. Preferably, the technique is length-preserving; the prefix includes all but the 
final block so that the length of the ciphertext is equal to the 
length of the plaintext. 

Thus according to the preferred method the plaintext 
string is processed using CBC twice, first to generate the 
CBC-MAC, and then to generate a portion of the ciphertext 
itself. In the first pass, the initialization vector used in the 
CBC is the null vector (meaning a string of 0-bits having 
length equal to the block length). In the second pass, the 
initialization vector is the CBC-MAC generated in the first 
pass. The keys are distinct for the two passes. The method 
is useful for generating ciphertext when the plaintext string 
has a length that is a multiple of the length of a block. A variant 
of the scheme can be used when the plaintext string has a 
length that is not a multiple of the block length. 

To decrypt the ciphertext, the enciphered string portion 
thereof is cipher block chained using the second key and the 
CBC-MAC as the initialization vector to generate a deci- 
phered string. The deciphered string is then cipher block 
chained using the first key and a null IV to generate a string 
having a last block. The plaintext is then taken as the 
combination (e.g., by concatenation) of the deciphered 
string and a predetermined function (e.g., an XOR) of the 
last block and the inverse of the block cipher under the first 
key at the CBC-MAC. 

Another object of the invention is to implement such 
methods in a programmed computer or in dedicated hard- 
ware or software. In one embodiment, the various methods 
of the invention may be implemented on a program storage 
device (e.g., a floppy diskette) that is readable by a processor 
and that tangibly embodies a program of instructions execut- 
able by the processor to perform the various process steps of 
each method. 

The foregoing has outlined some of the more pertinent 
objects of the present invention. These objects should be 
construed to be merely illustrative of some of the more 
prominent features and applications of the invention. Many 
other beneficial results can be attained by applying the 
disclosed invention in a different manner or modifying the 
invention as will be described. Accordingly, other objects 
and a fuller understanding of the invention may be had by 
referring to the following Detailed Description of the pre- 
ferred embodiment. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present inven- 
tion and the advantages thereof, reference should be made to 
the following Detailed Description taken in connection with 
the accompanying drawings in which: 

FIG. 1 illustrates a computer comprising a system unit, a 
keyboard, a mouse and a display, for use in implementing 
the encryption and decryption methods of the present inven- 
tion; 

FIG. 2 is an architectural block diagram of the computer 
illustrated in FIG. 1; 

FIG. 3 illustrates a simplified flow diagram of a method 
of the invention for encrypting a plaintext into ciphertext; 

FIG. 4 illustrates a simplified flow diagram illustrating 
how the ciphertext (generated in FIG. 3) is converted back 
to plaintext; 

FIG. 5A illustrates step 70 of FIG. 3; 

FIG. 5B illustrates step 72 of FIG. 3; 

FIG. 5C illustrates step 76 of FIG. 4; 

FIG. 5D illustrates step 78 of FIG. 4; and 

FIG. 5E illustrates step 80 of FIG. 4. 



DETAILED DESCRIPTION 

By way of brief background, a computer for use in 
supporting the invention is shown in FIG. 1. The computer 
20 comprises a system unit 21, a keyboard 22, a mouse 23 
and a display 24. The screen 26 of display device 24 is used 
to present a graphical user interface (GUI). The graphical 
user interface supported by the operating system allows the 
user to use a point and shoot method of input, i.e., by moving 
the mouse pointer 25 to an icon representing a data object at 
a particular location on the screen 26 and pressing on the 
mouse buttons to perform a user command or selection. 

FIG. 2 shows a block diagram of the components of the 
personal computer shown in FIG. 1. The system unit 21 
includes a system bus or plurality of system buses 31 to 
which various components are coupled and by which com- 
munication between the various components is accom- 
plished. The microprocessor 32 is connected to the system 
bus 31 and is supported by read only memory (ROM) 33 and 
random access memory (RAM) 34 also connected to system 
bus 31. 





The ROM 33 contains among other code the Basic 
Input-Output system (BIOS) which controls basic hardware 
operations such as the interaction with the disk drives and the 
keyboard. The RAM 34 is the main memory into which the 
operating system and application programs are loaded. The 
memory management chip 35 is connected to the system bus 
31 and controls direct memory access operations including 
passing data between the RAM 34 and hard disk drive 36 
and floppy disk drive 37. The CD ROM 42, also coupled to 
the system bus 31, is used to store a large amount of data, 
e.g., a multimedia program or large database. 

Also connected to this system bus 31 are various I/O 
controllers: the keyboard controller 38, the mouse controller 
39, the video controller 40, and the audio controller 41. The 
keyboard controller 38 provides the hardware interface for 
the keyboard 22, the mouse controller 39 provides the 
hardware interface for the mouse 23, the video controller 40 
is the hardware interface for the display 24, and the audio 
controller 41 is the hardware interface for the speakers 25a 
and 25b. An I/O controller 50 such as a Token Ring Adapter 
enables communication over the local area network 56 to 
other similarly configured data processing systems. 

One of the preferred implementations of the present 
invention is as a set of instructions in a code module resident 
in the random access memory 34. Until required by the 
computer system, the set of instructions may be stored in 
another computer memory, for example, in the hard disk 
drive 36, or in a removable memory such as an optical disk 
for eventual use in the CD ROM 42 or in a floppy disk for 
eventual use in the floppy disk drive 37. In addition, 
although the various methods described are conveniently 
implemented in a general purpose computer selectively 
activated or reconfigured by software, one of ordinary skill 
in the art would also recognize that such methods may be 
carried out in hardware, in firmware, or in more specialized 
apparatus constructed to perform the required method steps. 

As used herein, the inventive method is designed to be 
implemented on a computer such as shown in FIG. 1, 
although it should be appreciated that the word "computer" 
is to be afforded its broadest scope and meaning to include 
any type of device or part thereof that provides a computing 
functionality regardless of the particular application. 

Turning now to FIG. 3, the preferred method for encrypt- 
ing a plaintext string into ciphertext is illustrated by means 
of a flow diagram. It is assumed that the encrypting party and 
the decrypting party share a pair of secret keys (i.e., a first 
and a second key). At step 70, the plaintext string is cipher 
block chained using the first (secret) key and a null initial- 
ization vector (IV) to generate a CBC message authentica- 
tion code (MAC) that is the (entire) last block of the CBC output. 
At step 72, the plaintext string is again cipher block chained, 
now using the second (secret) key and the CBC-MAC 
(generated in step 70) as the initialization vector, to thereby 
generate an enciphered string. At step 74, the CBC-MAC 
(generated in step 70) and a portion of the enciphered string 
(generated in step 72) are then combined to create the 
ciphertext. The portion of the enciphered string is also 
referred to as a "prefix". This combination is further a 
function of the first key. 

Decryption of the ciphertext (generated by the routine of 
FIG. 3) is illustrated in FIG. 4. At step 76, the enciphered 
string (generated in step 72) is decrypted by cipher block 
chaining using the second secret key and the CBC-MAC 
(generated in step 70) as the initialization vector. Step 76 
generates a deciphered string. At step 78, the deciphered 
string is then cipher block chained using the first key and a 
null IV to generate another string having a last block. At step 
80, a predetermined function of this last block and the 
inverse of the block cipher at the CBC-MAC (generated in 
step 70) under the first key is then calculated. The plaintext 
is then formed at step 82 as the combination (i.e., the 
concatenation) of the deciphered string and the result of the 
predetermined function. 

The operations in each of the steps 70 and 72 of the 
encryption routine are illustrated in FIGS. 5A and 5B, 
respectively. The routine uses an l-bit block cipher f (like 
DES) with key length k. We write f_a(x) for the l-bit string 
which is the block cipher's value applied to the l-bit x using 
the k-bit key a. Further, as noted above, it is assumed at the 
outset that the first and second secret keys a_0 and a_1 are available to 
the routine and that |a_0| = |a_1| = k. The keys can be derived from 
some underlying k-bit key K using standard key separation 
techniques. For example, a_0 could be the first k bits of f_K(0) 
and a_1 could be the first k bits of f_K(1). In FIG. 5A, the 
plaintext string consists of the message string x, which for 
illustrative purposes is assumed to be comprised of ten (10) 
blocks of sixty-four (64) bits each, or 640 bits total. The 
message string is thus x = x_1 x_2 . . . x_10. This string is applied 
to the cipher block chaining encryption routine 82, which 
also receives the first key a_0 and a null initialization vector 
(i.e., IV = 0). The result of the cipher block chaining routine 
82 is an output string y = y_1 y_2 . . . y_10. The last block y_10 is 
the 64-bit cipher block chaining message authentication 
code or "CBC-MAC". This completes the first pass of the 
routine. 

The second pass is shown in FIG. 5B wherein the message 
string (i.e., the plaintext) is again supplied to the cipher 
block chaining encryption routine 82. However, in this pass, 
the key used by the routine is the second (secret) key a_1, and 
the initialization vector is the CBC-MAC (i.e., y_10) gener- 
ated in the first pass illustrated in FIG. 5A. The resulting 
enciphered string is called y' = y'_1 y'_2 . . . y'_10. This processing 
completes the second pass. Note that although the block 
cipher f shown in FIGS. 5A and 5B is shown to be the same, 
this is not required. The ciphertext is then taken to be the 
combination (e.g., by concatenation) of the CBC-MAC and 
a portion of the enciphered string, namely: 

ciphertext = y_10 || y'_1 y'_2 . . . y'_9 

The routine is length preserving since the length of the 
ciphertext is the same as the length of the plaintext string. 

To decrypt the 10-block string y, we first consider it to be 
a sequence of blocks: 

y_10 || y'_1 y'_2 . . . y'_9 

The operations in each of the steps 76, 78 and 80 of the 
decryption routine are then as illustrated in FIGS. 5C, 5D 
and 5E, respectively. As shown in FIG. 5C, step 76 involves 
CBC decryption 84 of the enciphered string y'_1 y'_2 . . . y'_9 
(generated in step 72) with the second key a_1 and the 
CBC-MAC (i.e., y_10) as the IV. The resulting deciphered 
string is x_1 x_2 . . . x_9, which represents almost all of the 
original plaintext. To recover x_10, the decryption routine first 
carries out the operation shown in FIG. 5D, wherein the 
deciphered string x_1 x_2 . . . x_9 is cipher block encrypted (by 
CBC 84) using the first key a_0 and a null IV to generate a 
string y_1 y_2 . . . y_9 having a last block y_9. As seen in FIG. 5E, 
a predetermined function 86 (e.g., an XOR) of y_9 and the 
inverse function of the block cipher f under the first key 
at the point y_10 is then calculated to generate x_10. Since the first 
pass computed y_10 = f_{a_0}(x_10 ⊕ y_9), this is simply 
x_10 = y_9 ⊕ f_{a_0}^{-1}(y_10). The 
plaintext is then seen as the following: 

plaintext = x_1 x_2 . . . x_9 x_10 

The preferred implementation illustrated above utilizes 
cipher block chaining as the mode of operation for the block 
cipher in steps 72 and 76. The invention, however, is not so 
limited, as other modes of operation may also be used for 
these steps. Moreover, although cipher block chaining is 
preferably used in the first pass (step 70) over the plaintext 
to create the message authentication code, it should be 
appreciated that other known techniques for producing 
MACs (or other block cipher chaining modes) could be 
substituted in this step instead of CBC. (All that is necessary 
is that, given the l-bit MAC of m and all but particular l bits 
of m, those missing l bits can be efficiently and uniquely 
reconstructed). Thus, according to the invention it is envi- 
sioned that the first pass that processes the plaintext string 
involves a known technique that uses the first key a_0 for 
computing a message authentication code or tag. As dis- 
cussed above, the second pass then involves using this MAC 
as an IV along with a second key a_1 to encrypt the message 
into an enciphered string. This second pass can be performed 
using CBC, but this is not required. The MAC and a portion 
of the enciphered string is then taken as the ciphertext. 
Thus, in accordance with the more general aspects of the 
invention, encryption involves using the plaintext string and 
a first key to compute a message authentication code. The 
routine continues by using the message, a second key, and 
the message authentication code to produce an enciphered 
string that depends substantively on the message authenti- 
cation code. As used herein, such "substantive" dependence 
means that all bits of the enciphered string may vary as the 
MAC takes on different values. The ciphertext of the plain- 
text is then taken to comprise the message authentication 
code together with some piece of the enciphered string. To 
reverse the process, the decryption routine involves using 
the enciphered string portion of the ciphertext, the second 
key and the MAC to generate a deciphered string. Decryp- 
tion continues by using the deciphered string and the first 
key to produce a string having a last block. A predetermined 
function of the last block and the inverse of the block cipher 
under the first key at the MAC is then computed. The 
plaintext is then taken as the deciphered string and the result 
of the predetermined function. 

A more detailed implementation of the invention is now 
set forth. This implementation processes message strings 
whether or not the length of the particular string being 
processed is a multiple of the desired block length or ends in a fraction of a block. 
The method begins by selecting an l-bit block cipher f with 
key length k. For example, l is 64 when f is the DES 
algorithm. Of course, other block ciphers (e.g., IDEA or 
SKIPJACK) besides DES may be used as well. Let the 
encryption key be a = (a_0, a_1), with |a_0| = |a_1| = k, and let λ 
denote the empty string (with 0^0 = λ). Secret keys a_0 and a_1 
should be unrelated to each other (at least with respect to 
practical computation). Let <m> denote the encoding of the 
number m < 2^l into an l-bit block. For a string m = m_1 . . . m_s 
consisting of s blocks, each of l bits, the (l-bit) CBC-MAC 
of m under a_0 is then defined by: 

Now suppose x is the message we want to encrypt and 
l ≤ |x| < 2^l. Let x = x_1 . . . x_{n-1} x_n be the message to be encrypted, 
with |x_1| = . . . = |x_{n-1}| = l and |x_n| ≤ l. Note the assumption 
|x_1| = l implies that there is at least one "full" block to 
encrypt. The following method is not to be applied to 
messages of length less than l. Let 

The above step first pads the message string with trailing 
zeros to insure that the overall length of the string being 
encrypted is a multiple of the block length, and then it swaps 
the (previously short) last block of x with the second-to-last 
(full) block of x. (This step is not required if the length of 
the message is a multiple of the block length). Now let 

Note that |x*| = |x| − l. 

The encryption scheme E_a(·) is as follows: 

• Step 1. Let t = f_{a_0}^{CBC}(x') be the l-bit CBC-MAC of x' 
under a_0. 

• Step 2. Encipher x* as follows. Let y_0 = t (i.e., the 
initialization vector). Then for i = 1, . . . , n−2 let y_i = f_{a_1}(x_i ⊕ 
y_{i-1}). Finally, if |x_n| = l let y_n = f_{a_1}(x_n ⊕ y_{n-2}); else (i.e. 1 ≤ |x_n| < l) 
let y_n be the XOR of x_n with the first |x_n| bits of f_{a_1}(y_{n-2}). 
This encryption method is an extension of the CBC mode of 
operation to allow for variable-length blocks. (When the 
block cipher is DES, this method has been called the IBM 
CUSP/3848 mechanism). 

• Step 3. Define E_a(x) = t y_1 . . . y_{n-2} y_n. That is, the 
encryption of x is t together with the enciphered text from 
Step 2. 

Decryption is done as follows, with y = t y_1 . . . y_{n-2} y_n the 
received ciphertext: 

• Step 1. Recover x* by deciphering under key a_1 the 
ciphertext y_1 . . . y_{n-2} y_n. That is, let y_0 = t and for i = 1, . . . , 
n−2 let x_i = f_{a_1}^{-1}(y_i) ⊕ y_{i-1}. Then, if |y_n| = l, let x_n = 
f_{a_1}^{-1}(y_n) ⊕ y_{n-2}; else (i.e. 1 ≤ |y_n| < l) let x_n be the 
XOR of y_n with the first |y_n| bits of f_{a_1}(y_{n-2}). 

• Step 2. To recover x_{n-1}, let t' = f_{a_0}^{CBC}(x_1 . . . x_{n-2} x_n 0^{l-|x_n|}) 
and let x_{n-1} = f_{a_0}^{-1}(t) ⊕ t'. This works because t was computed as 
f_{a_0}(x_{n-1} ⊕ t'), x_{n-1} being the last block of the swapped string x'. 
The recovered plaintext is x_1 . . . x_n. 
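The scheme of FIGS. 5A-5E and the detailed implementation above, as an added, runnable example that is not part of the patent or its drawings. It implements the general (padded-and-swapped) form of the encryption and decryption steps, and also the fixed-IV CBC of the Background, so that the prefix leak described there and its absence in the new mode can be compared on the same inputs. DES is assumed in the text; the stand-in here is an 8-round Feistel cipher with a SHA-256 round function, an assumption made so the block runs offline with only the standard library. Further assumptions: blocks and the short last block are handled at byte rather than bit granularity, at least two blocks of input are required, key separation follows the f_K(0), f_K(1) suggestion, and all sample inputs are constructed. For a message that is a whole number of blocks, this general form omits the enciphered x_{n-1} (the block swapped to the end of the MAC input) rather than the enciphered x_10 of FIG. 5B; the two are the same construction with the roles of the last two blocks exchanged.

```python
# Added example (not from the patent): CBC-MAC-then-CBC, length preserving,
# on a stand-in 64-bit block cipher. DES is assumed in the text; the Feistel
# cipher below (SHA-256 round function) is an assumption so this runs offline.
import hashlib

L = 8  # block length in bytes (l = 64 bits, as for DES)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def _round_fn(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function, SHA-256 truncated to 32 bits (stand-in, not DES).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

def f(key: bytes, block: bytes) -> bytes:
    """Block cipher f_a(x): an 8-round Feistel permutation on one l-bit block."""
    left, right = block[:4], block[4:]
    for r in range(8):
        left, right = right, _xor(left, _round_fn(key, r, right))
    return left + right

def f_inv(key: bytes, block: bytes) -> bytes:
    """Inverse block cipher f_a^{-1}(y): the same rounds in reverse order."""
    left, right = block[:4], block[4:]
    for r in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, r, left)), left
    return left + right

def derive_keys(master: bytes) -> tuple:
    """Key separation as suggested in the text: a_0 = f_K(<0>), a_1 = f_K(<1>)."""
    return f(master, (0).to_bytes(L, "big")), f(master, (1).to_bytes(L, "big"))

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """f_a^CBC(m): CBC over whole blocks with the null IV, keeping only the last block."""
    y = bytes(L)
    for i in range(0, len(msg), L):
        y = f(key, _xor(msg[i:i + L], y))
    return y

def _split(s: bytes):
    """s -> (n-1 full blocks, last block of 1..L bytes); this example needs n >= 2."""
    n = -(-len(s) // L)
    assert n >= 2, "more than one block of input is required here"
    return [s[i * L:(i + 1) * L] for i in range(n - 1)], s[(n - 1) * L:]

def encrypt(a0: bytes, a1: bytes, x: bytes) -> bytes:
    full, xn = _split(x)                                  # x_1..x_{n-1} full, x_n short or full
    xn_padded = xn + bytes(L - len(xn))                   # x_n 0^{l-|x_n|}
    x_prime = b"".join(full[:-1]) + xn_padded + full[-1]  # pad, then swap the last two blocks
    t = cbc_mac(a0, x_prime)                              # Step 1: l-bit CBC-MAC under a_0
    y, prev = [], t                                       # Step 2: CBC-encipher x* with y_0 = t
    for xi in full[:-1]:                                  # x* = x_1 .. x_{n-2} x_n
        prev = f(a1, _xor(xi, prev))
        y.append(prev)
    if len(xn) == L:
        yn = f(a1, _xor(xn, prev))
    else:                                                 # short block: XOR with a prefix of f(y_{n-2})
        yn = _xor(xn, f(a1, prev)[:len(xn)])
    return t + b"".join(y) + yn                           # Step 3: t y_1 .. y_{n-2} y_n, |c| == |x|

def decrypt(a0: bytes, a1: bytes, c: bytes) -> bytes:
    t, body, n = c[:L], c[L:], -(-len(c) // L)
    ys, yn = [body[i * L:(i + 1) * L] for i in range(n - 2)], body[(n - 2) * L:]
    xs, prev = [], t                                      # Step 1: recover x* under a_1
    for yi in ys:
        xs.append(_xor(f_inv(a1, yi), prev))
        prev = yi
    if len(yn) == L:
        xn = _xor(f_inv(a1, yn), prev)
    else:
        xn = _xor(yn, f(a1, prev)[:len(yn)])
    # Step 2: t' = CBC-MAC of x_1 .. x_{n-2} (x_n padded); x_{n-1} = f_{a_0}^{-1}(t) XOR t'
    t_prime = cbc_mac(a0, b"".join(xs) + xn + bytes(L - len(xn)))
    x_nm1 = _xor(f_inv(a0, t), t_prime)
    return b"".join(xs) + x_nm1 + xn

def cbc_fixed_iv(key: bytes, msg: bytes) -> bytes:
    """Prior-art CBC with a fixed null IV, for comparison: it leaks shared prefixes."""
    out, prev = [], bytes(L)
    for i in range(0, len(msg), L):
        prev = f(key, _xor(msg[i:i + L], prev))
        out.append(prev)
    return b"".join(out)

def common_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Number of leading l-bit blocks on which two strings agree."""
    k = 0
    while (k + 1) * L <= min(len(c1), len(c2)) and c1[k * L:(k + 1) * L] == c2[k * L:(k + 1) * L]:
        k += 1
    return k

if __name__ == "__main__":
    a0, a1 = derive_keys(b"constructed demo master key")
    x = bytes(range(80))                                  # ten 64-bit blocks, constructed input
    related = x[:72] + bytes(8)                           # agrees with x on the first nine blocks
    print(len(encrypt(a0, a1, x)) == len(x), decrypt(a0, a1, encrypt(a0, a1, x)) == x)
    print(common_prefix_blocks(cbc_fixed_iv(a1, x), cbc_fixed_iv(a1, related)),
          common_prefix_blocks(encrypt(a0, a1, x), encrypt(a0, a1, related)))
```

Two things a practitioner should keep in view: decrypt() never rejects a ciphertext. As the Summary says, a modified ciphertext decrypts to an unrelated plaintext, but nothing here detects the modification. And because the mode is deterministic and history-free by design, equal plaintexts under the same keys produce equal ciphertexts; only plaintexts that differ, anywhere, produce ciphertexts that differ from the first block on, which is the property the fixed-IV comparison exhibits.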

The present invention provides significant advantages in 
that the encryption is length-preserving, non-stateful, deter- 
ministic and secure. Related encryption methods can be 
designed in order to achieve not only this initial set of 
requirements but further to insure that the methods are fully 
parallelizable, either in hardware or in software. For 
example, the MAC t can be computed by a "tree MAC" 
scheme as described in U.S. Pat. No. 4,933,969 to Marshall 
et al., incorporated herein by reference. Then, the encipher- 
ment may involve simply XORing the message x with the 
length-|x| prefix of f_{a_1}(t) f_{a_1}((t+1) mod 2^l) f_{a_1}((t+2) mod 2^l) . . . . 
Under such an embodiment, doubling the number of pro- 
cessors effectively doubles the rate at which the enciphered 
text can be computed. 

The particular applications of the methods detailed herein 
are quite varied. For example, the techniques are useful for 
encrypting a field of a protocol data unit, encrypting a file in 
a manner independent of the "i-node" of the file, or encrypt- 
ing a disk sector independent of the position of the sector in 
the physical media. The first example typically arises when 
there is some fixed communications protocol that has left 
some number of message bits available, yet provided no 
security. It is desired to add security but without changing 
the number of bits of each field. In other words, it is desired 
to be able to send, encrypted, all of the message which was 
formerly transmitted in the clear. 

It should be appreciated by those skilled in the art that the 
specific embodiments disclosed above may be readily uti- 
lized as a basis for modifying or designing other routines for 
carrying out the same purposes of the present invention. 
Those skilled in the art will recognize that such equivalent 
techniques and embodiments do not depart from the spirit 
and scope of the invention as set forth in the appended 
claims. 

What is claimed is: 

1. A computer-implemented method, using first and sec- 
ond keys, to encrypt a plaintext string x to a ciphertext string 
y, comprising the steps of: 

using the string x and the first key a_0 to compute a 
message authentication code t; 

using the string x, the second key a_1, and the message 
authentication code t to produce an enciphered string y' 
that depends substantively on the message authentica- 
tion code; and 

taking the ciphertext y to comprise the message authen- 
tication code t together with a predetermined piece of 
the enciphered string y'. 

2. The computer-implemented method as described in 
claim 1 wherein said predetermined piece is shorter than y' 
yet the plaintext string is still uniquely recoverable given the 
ciphertext. 

3. The computer-implemented method as described in 
claim 1 wherein the message authentication code is com- 
puted by cipher block chaining a block cipher. 

4. The computer-implemented method as described in 
claim 2 wherein the block cipher is DES. 

5. The computer-implemented method as described in 
claim 2 wherein the predetermined piece of the enciphered 
string includes all but a last block of the enciphered string. 

6. The computer-implemented method as described in 
claim 2 wherein the message authentication code has a 
length equal to a block length. 

7. A method, using first and second keys, to encrypt a 
plaintext string to a ciphertext string, comprising the steps 
of: 

(a) cipher block chaining (CBC) the plaintext string using 
the first key and a first initialization vector (IV) to 
generate a CBC message authentication code whose 
length is equal to a block length; 

(b) cipher block chaining the plaintext string using the 
second key and the CBC message authentication code 
as a second initialization vector to generate an enci- 
phered string; and 

(c) combining the CBC message authentication code and 
a predetermined portion of the enciphered string to 
form the ciphertext string. 

8. The method as described in claim 7 wherein the 
predetermined portion of the enciphered string includes all 
but a last block of the enciphered string. 

9. The method as described in claim 7 wherein the first 
initialization vector is the null vector. 

10. The method as described in claim 7 wherein the 
plaintext string has a length that is a multiple of a length of 
a block. 

11. The method as described in claim 7 wherein the 
plaintext string has a length that is not equal to a multiple of 
a length of a block. 

12. The method as described in claim 7 wherein step (c) 
concatenates the CBC message authentication code and the 
predetermined portion of the enciphered string to form the 
ciphertext string. 

13. The method as described in claim 7 wherein the 
ciphertext string has a length equal to the plaintext string. 

14. The method as described in claim 7 wherein the first 
and second keys are derived from an underlying secret key. 

15. A method, using first and second keys and a block 
cipher, to decrypt a ciphertext string into a plaintext string, 
the ciphertext string comprising a CBC message authenti- 
cation code and an enciphered string, comprising the steps 
of: 

(a) decrypting by cipher block chaining the enciphered 
string using the second key and the CBC message 
authentication code as an initialization vector to gen- 
erate a deciphered string; 

(b) cipher block chaining the deciphered string using the 
first key and a null initialization vector to generate a 
string having a last block; 

(c) calculating a predetermined function of the last block 
and an inverse of the block cipher under the first key at 
the CBC message authentication code; and 

(d) combining the deciphered string and a result of the 
predetermined function to generate the plaintext string. 

16. The method as described in claim 15 wherein the 
block cipher is DES. 

17. The method as described in claim 15 wherein the 
predetermined function in step (c) is an exclusive OR. 

18. A computer apparatus, comprising: 
a storage device; 

program means supported in the storage device for 
encrypting a plaintext string x to a ciphertext string y, 
the program means comprising: 
means for using the string x and a first key a_0 to 
compute a message authentication code t; 

means for using the string x, a second key a_1, and the 
message authentication code t to produce an enci- 
phered string y'; and 

means for taking the ciphertext y to comprise the 
message authentication code t together with a pre- 
determined piece of the enciphered string y', where 
said predetermined piece is shorter than y'. 

19. A computer, comprising: 
a storage device; 

program means supported in the storage device for 
decrypting a ciphertext string into a plaintext string, the 
ciphertext string comprising a CBC message authenti- 
cation code and an enciphered string, the program 
means comprising: 

means for decrypting the enciphered string by cipher 
block chaining the enciphered string using a secret 
key and the CBC message authentication code as an 
initialization vector to generate a deciphered siring; 

means for cipher block chaining the deciphered string 
using a second secret key and a null initialization 
vector to generate a string having a last block; 

means for calculating a predetermined function of the 
last block and an inverse of a block cipher evaluated 
using the second secret key; and 

means for combining the deciphered string and the 
predetermined function to generate the plaintext 
string. 

20. A program storage device readable by a processor and 
tangibly embodying a program of instructions executable by 
the processor to perform encryption and decryption 
methods, using first and second keys and a block cipher, 
wherein the encryption method comprises the steps of: 

(a) cipher block chaining (CBC) a plaintext string using 
the first key and an initialization vector (IV) to generate 
a CBC message authentication code; 

(b) cipher block chaining the plaintext string using the 
second key and the CBC message authentication code 
as the initialization vector to generate an enciphered 
string; and 

(c) combining the CBC message authentication code and 
a portion of the enciphered string to form a ciphertext 
string; 

and wherein the decryption method comprises the steps 
of: 

(a) cipher block chaining the enciphered string using the 
second key and the CBC message authentication code 
as the initialization vector to generate a deciphered 
string; 

(b) cipher block chaining the deciphered string using the 
first key and a null initialization vector to generate a 
string having a last block; 

(c) calculating a predetermined function of the last block 
and an inverse of the block cipher under the first key at 
the CBC message authentication code; and 

(d) combining the deciphered string and the predeter- 
mined function to generate the plaintext string. 
CERTIFICATE OF CORRECTION 

PATENT NO.: 5,673,319 
DATED: September 30, 1997 
INVENTOR(S): Bellare et al. 

It is certified that error appears in the above-identified patent and that said Letters Patent 
is hereby corrected as shown below: 

Column 7, line 24, please delete "f_{a_0}" and insert --f_{a_0}^{CBC}--; 
Column 7, line 26, please delete "1 ≤" and insert --l ≤--; 
Column 7, line 27, please delete "= 1" and insert --= l--; 
Column 7, line 27, please delete "| ≤ 1" and insert --| ≤ l--; 
Column 7, line 28, please delete "| ≥ 1" and insert --| ≥ l--; 
Column 7, line 44, please delete "= 1" and insert --= l--; 
Column 7, line 46, please delete "f_{a_0}" and insert --f_{a_0}^{CBC}--; 
Column 7, line 46, please delete "1-bit" and insert --l-bit--; 
Column 7, line 50, please delete "| = 1" and insert --| = l--; 
Column 7, line 50, please delete "1 ≤ |x_n| < 1)" and insert --1 ≤ |x_n| < l)--; 
Column 7, line 63, please delete "= 1" and insert --= l--; 
Column 7, line 64, please delete "1 ≤ |y_n| < 1)" and insert --1 ≤ |y_n| < l)--; 
Column 7, line 66, please delete [illegible in the scan] and insert --t'--; 
Column 7, line 67, please delete [illegible in the scan] and insert --t'--; 
Column 8, line 38, please delete "F_i" and insert --y_{i-1}--. 